DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Special Report: Letter on Information Technology Matters Related to TSA's FY 2005 Financial Statements
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. § 552 (b)(2). A review under the Freedom of Information Act will be conducted upon request.

OIG-07-18                                                      December 2006

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

December 8, 2006

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports published by our office as part of our DHS oversight responsibility to promote economy, efficiency, and effectiveness within the department.

This special report presents a letter on information technology (IT) matters related to TSA's FY 2005 financial statements prepared by the independent public accounting firm KPMG LLP (KPMG). We engaged KPMG to audit TSA's FY 2005 financial statements. KPMG did not complete its audit because TSA did not provide KPMG with final financial statements on which KPMG could report.

The recommendations herein have been discussed with those responsible for implementation. It is our hope that this report, with KPMG's attached letter, will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Attachment A

Special Report: Letter on Information Technology Matters Related to TSA's FY 2005 Financial Statements
A.1

SUMMARY OF FINDINGS AND RECOMMENDATIONS

The U.S. Coast Guard's -------------- ------------------- hosts key financial applications for the U.S. Department of Homeland Security's (DHS) Transportation Security Administration (TSA). As such, our audit procedures over IT general controls for TSA included a review of the Coast Guard's ---------- procedures, policies, and practices. While we noted that ---------- took corrective actions to address prior year IT control weaknesses that impact the TSA financial processing environment, we continued to find IT general control weaknesses. Collectively, the IT control weaknesses limited TSA's ability to ensure that critical financial and operational data was maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over TSA financial reporting and its operation.

We noted that many of the conditions identified during our prior year audits, which impact TSA financial processing, have not been corrected because challenges continue to exist related to the merging of numerous IT functions, controls, and processes, and overall organizational shortages. During FY 2005, the Coast Guard ---------- took steps to help address known weaknesses, such as conducting periodic vulnerability assessments of security controls, increasing controls over access to sensitive application functions, and implementing practices that adhere to guidance issued in the update to DHS Policy 4300A, Sensitive System Handbook.

Despite these improvements, TSA and Coast Guard management should ensure that there is emphasis on the monitoring and enforcement of IT security-related policies and procedures. On-going measures to certify and accredit key financial systems hosted by -- -------- and to implement effective disaster recovery and continuity of operations controls need to be completed. Additionally, many of the repeat vulnerabilities in system access and configuration controls that were identified during technical security testing can be addressed by instituting a formal process for performing scans of the ------ ---- network environment to ensure that security settings, once instituted, remain in place and to identify vulnerabilities that require correction.

IT GENERAL CONTROL FINDINGS BY AREA

Entity-Wide Security Program Planning and Management

During FY 2005, we noted that the Coast Guard -- -------- had made progress towards improving entity-wide security program planning and management. However, the Coast Guard ------ ---- has not completed Certification and Accreditation (C&A) efforts for the -------------------------- ----- ---------- --------------------------------------- ----- ------------------ ----------------------- ---- ----------------------------------- Particularly, security testing and evaluation was incomplete and security plans had not been updated.

Recommendation:
Entity-wide security program planning and management controls should be in place to establish a framework and continuing cycle of activity to manage security risk, develop security policies, assign responsibilities, and monitor the adequacy of computer security related controls. We recommend that the TSA Chief Financial Officer (CFO) and Chief Information Officer (CIO) offices work with ------------ management and the Coast Guard CIO to ensure that the C&A process for key financial systems affecting TSA processing is completed, including the completion of security tests and evaluations and the update of security plans.

Access Controls

In close concert with an organization's entity-wide information security program, access controls for general support systems and applications should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization's entity-wide security program. Such controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of information.

During FY 2005, we noted that the Coast Guard ---------- began conducting periodic vulnerability assessments to identify system and network security risks. While this resulted in a reduced number of identified vulnerabilities, we did note several repeat access control weaknesses, including some related to access control vulnerabilities with ------------------- --------------------------------- ------------ -- . These are significant issues because personnel inside the organization who best understand the organization's systems, applications, and business processes are able to obtain unauthorized access to some systems and applications. Some of the identified vulnerable devices are used for ---- and ---------------- purposes. In some cases, users are able to access test and development devices with group passwords, system default passwords, or the same passwords with which they log into -------------------- --- As a result, --------- ----------- --- ---------- could be a target of hackers/crackers to obtain information (i.e., ----------- ------ -------- ) that can be used to attempt further access into the DHS IT environment.

Conditions noted at the Coast Guard ---------- regarding access controls that impact TSA's financial processing are as follows:

•   Instances of missing and weak user passwords on ---- -------------------------- were identified.
•   Instances were identified where workstations, servers, or network devices were configured without necessary security patches, or were not configured in the most secure manner.
•   Policies and procedures requiring local security administrators to periodically revalidate ----- user profiles were not implemented. Additionally, evidence of reviews of ----- for the removal of accounts for separated personnel was not available.
•   High-level ------- database administrator, system administrator, and system accounts were not actively monitored.
•   Procedures for the authorization, regular review, and removal of data center physical access were not formalized and were inconsistent.
•   Information system-related items (e.g., hardware, software, and electronic media) entering and exiting the -- -------- facility were not adequately tracked or recorded.

Recommendation:
We recommend that the TSA CFO and CIO offices work with ---------- management and the Coast Guard CIO to ensure the following corrective actions are implemented:

•   Enforce password controls that meet DHS password requirements, as prescribed in DHS Policy 4300A, Sensitive System Handbook, on all key financial systems.
•   Implement a formal process for performing periodic scans of the - ---------- network environment, including the financial processing environment, for the identification and correction of vulnerabilities, in accordance with DHS Policy 4300A and Federal guidance, National Institute of Standards and Technology Special Publication 800-42, Guideline on Network Security Testing.
•   Develop formal entity-wide procedures for controlling the processes associated with the granting, monitoring, and terminating of ----- user accounts that require the periodic revalidation of ----- user profiles by local security administrators.
•   Develop procedures for the regular and periodic monitoring of high-level ----- database administrators, system administrators, and system accounts to ensure that transactions are authorized and appropriate. The reviews should be performed by an individual in management who does not have the same logical access authority.
•   Develop and implement formal -- -------- data center access procedures for requesting, granting, and removing access to the data center; performing regular reviews of physical access privileges; and retaining evidence of such reviews.
•   Develop, document, and implement a formalized method to track information system-related items entering and exiting the ---------- facility and maintain appropriate records.

Application Software Development and Change Control

During FY 2005, we noted that the Coast Guard's ---------- took corrective actions to address IT control issues related to application software changes. However, we noted that in some cases the application software development and change control procedures and documentation were not consistent with DHS and Federal guidance. Regarding application software development and change controls that impact TSA's financial processing, we noted instances of weakness in change control processes supporting the ------------------------------ - ----- - Specifically, procedures were not developed, documentation supporting risk assessments of software patches was not retained, formal change request forms were not in use, and test plans and results were not documented.

Recommendation:
We recommend that the TSA CFO and CIO offices work with ---------- management and the Coast Guard CIO to ensure that the following corrective actions are implemented:

•   Develop and enforce configuration management procedures for development of test plans, documentation of test results, delivery and implementation of software, and management approval of system changes for normal and emergency upgrade situations.
•   Retain all risk assessment and testing documentation to provide an audit trail for all changes.

System Software

We noted weaknesses in programs designed to operate and control the processing activities of computer equipment. Weaknesses in this control area, closely linked to entity-wide security and access controls, increase the likelihood that unauthorized individuals using system software could circumvent security controls to read, modify, or delete critical or sensitive information and programs. Authorized users of the system could gain unauthorized privileges to conduct unauthorized actions, and/or system software could be used to circumvent edits and other controls built into application programs.

Regarding system software controls at the Coast Guard ---------- that impact TSA's financial processing, we noted that policies and procedures for restricting and monitoring access to operating system software were not developed or were inadequate.

Recommendation:
We recommend that the TSA CFO and CIO offices work with ---------- management and the Coast Guard CIO to ensure that the following corrective actions are implemented:

•   Develop policies and procedures to address access to ----- and ----- in the operating system environment that include steps for granting, approving, and reviewing access; definitions of levels of access; and steps for terminating access for ----- and ----- .
•   Develop policies and procedures for the type of monitoring that each ------- system administrator should perform both on a daily and periodic basis, and periodically test the effectiveness of the current monitoring process to ensure that unauthorized events are correctly identified.

Service Continuity

During FY 2005, we noted that the Coast Guard had begun corrective actions to address prior year weaknesses related to the back-up and protection of critical system data. Despite these improvements, weaknesses related to disaster recovery plans and business continuity plans continue to exist. These issues are important because losing the capability to process, retrieve, and protect information maintained electronically can significantly affect TSA's ability to accomplish its mission.

Conditions noted at the Coast Guard - --------- regarding service continuity controls that impact TSA's financial processing are as follows:

•   The ---------- business continuity plan did not adequately include procedures for restoring ----- and ----- financial systems, and disaster recovery plans for the systems had not been developed.
•   Relocation of the off-site storage location to a geographically safe distance from the primary data center was not complete.
•   The -------- -- business continuity plan had not been tested or updated to reflect changes in hardware, software, or the off-site storage location.

Recommendation:
We recommend that the TSA CFO and CIO offices work with ---------- management and the Coast Guard CIO to ensure that the following corrective actions are implemented:

•   Periodically reassess and, as appropriate, revise the ---------- business continuity plan to reflect changes in hardware, software, and the off-site storage location, and include adequate steps for the restoration of financial systems.
•   Develop disaster recovery procedures for ----- and ----- that detail processes for re-establishing hardware, software, and telecommunications connectivity.
•   Complete the relocation of the off-site storage location further away from the -- -------- primary data center.
•   Periodically test the business continuity plan and evaluate the results so that the plan can be adjusted to correct any deficiencies identified during testing.

APPLICATION CONTROL FINDINGS

During FY 2005, we noted weaknesses in access and account management controls associated with key TSA financial applications hosted by -- -------- , such as the core financial and procurement applications. Many of these weaknesses were identified during our general controls testing; however, since these same issues also impact controls over specific key financial applications, they are reported here as well.

Conditions noted regarding application controls that impact TSA's financial processing are as follows:

•   Instances of missing and weak user passwords on key application servers and databases were identified.
•   Policies and procedures requiring local security administrators to periodically revalidate ----- user profiles were not implemented. Additionally, evidence of reviews of ----- user accounts for the removal of accounts for separated personnel was not available.
•   High-level ----- database administrator, system administrator, and system accounts were not actively monitored.
•   Certain erroneous personnel records had not been corrected.

Recommendation:
We recommend that the TSA CFO and CIO offices work with ------------ management and the Coast Guard CIO to ensure that the following corrective actions are implemented:

•   Enforce password controls that meet DHS password requirements, as prescribed in DHS Policy 4300A, Sensitive System Handbook, on all key financial systems.
•   Develop formal entity-wide procedures for controlling the processes associated with the granting, monitoring, and terminating of ----- user accounts that require the periodic revalidation of ----- user profiles by local security administrators.
•   Develop procedures for the regular and periodic monitoring of high-level ----- database administrators, system administrators, and system accounts to ensure that transactions are authorized and appropriate. The reviews should be performed by an individual in management who does not have the same logical access authority.
•   Ensure that erroneous personnel records are corrected and that evidence of corrective actions taken is retained on file.

MANAGEMENT COMMENTS AND OIG EVALUATION

We obtained written comments on a draft of this report from the TSA Assistant Administrator for Finance and Administration and Chief Financial Officer. Generally, the TSA CFO agreed with all of the report's findings and recommendations. We have incorporated the comments where appropriate and included a copy of the comments in their entirety at Appendix E.

In his response, the TSA CFO stated that:

•   The report identified a series of information technology related internal control weaknesses that stem from TSA's use of the United States Coast Guard (USCG) financial application.
•   During FY 2006, the USCG began corrective actions on these weaknesses.
•   TSA will continue to work closely with the USCG in FY 2007 to address the outstanding FY 2005 findings.

OIG Response

We agree with the steps that TSA and USCG are taking to satisfy these recommendations.

Attachment B

DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE

Below is a description of significant TSA financial management systems and supporting IT infrastructure included in the scope of the FY 2005 financial statement audit engagement.

Locations of Testing:
-------------------------- ----------- --------- -------------- --- ---------------------------------------------- TSA's financial applications are hosted on the Coast Guard's IT platforms.

Key Systems Subject to Testing:
The Coast Guard is TSA's accounting services provider. The following is a list of key TSA applications used for financial processing.

•   --------------------------------------- ---------- is the core accounting system that records financial transactions and generates financial statements for TSA. ----- is hosted at ---------- , the Coast Guard's primary data center.
•   ---------------- --------------------------------- ---------------- application is used to create and post obligations to ----- . It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly -- ------- ------ ------------------- Reports.
•   -- - -------------------------------------------------------- --- - is the document image processing system, which is integrated with an ------ --------------- ------ relational database. -- ---- allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation, and payment. ------- utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received.
•   ------------------------------------------------ ------------- ------- maintains TSA payroll data; calculates pay, wages, and tax information; and maintains service history and separation records. ----- - - interfaces with the --------- ------------------------ - -------- ----- -------- ----------------------------------- , and the ----------------------------------------- - -------- ------------- --- -- ------------, and receives other data inputs. ------- is a mainframe application.
•   ---------------------------------- ----------------------------- ------------------- --- – --------- is the U.S. Department of Transportation's (DOT) personnel management system. The system processes and tracks personnel actions and employee related data for TSA, including employee elections for the Thrift Savings Plan (TSP), life insurance, and health insurance as well as training data and general employee information (e.g., name and address). --- ----- is also used to maintain information related to budget, training, civil rights, labor relations and security. --------- is a mainframe application. --------- interfaces with -------- to allow ------- to perform the calculation of pay, time and attendance reporting, leave accounting, and wage and tax reporting. ------- also uses the information received from --------- to initiate payroll deductions for TSP, insurances, Combined Federal Campaign contributions, and savings bonds.
•   -------------------------------- --------------------------- – ------ processes requests for personnel action, training enrollments, and time and attendance information. ------- interfaces with --------- and ------- to receive time and attendance and payroll information. ------ also interfaces with the ------ ------------- ------------------ ---------- system. ----- is a client/server system that provides reporting capability through an Oracle database.

On August 22, 2005, TSA payroll and time and attendance processing moved to the National Finance Center (NFC) system administered by the Department of Agriculture. For payroll, TSA will be using -------------- ----- -------------------------------------- ----- , which will interface with the NFC system. The ----------- -- - --------- ----- --------------------------- -- - ------------------------- ----- . The ----------- -- ------- system will also interface with the NFC system.

Attachment C

TSA IT NOTICES OF FINDINGS AND RECOMMENDATIONS THAT CONTRIBUTED TO THE DEPARTMENT'S MATERIAL WEAKNESS OVER FINANCIAL SYSTEM SECURITY

Each notice of finding and recommendation (NFR) below lists the NFR #, the condition, the recommendation, and whether it was marked as a new issue or a repeat issue.

NFR # TSA-IT 05-001
Condition: Formal procedures regarding access to the ------ - -- data center have not been established and implemented.
Recommendation: TSA management should work with - --------- management to ensure the development and implementation of formal data center access procedures and a formalized method to track information system-related items entering and exiting the facility.
New Issue: X    Repeat Issue:

NFR # TSA-IT 05-002
Condition: Was not used.
Recommendation: N/A
New Issue: N/A    Repeat Issue: N/A

NFR # TSA-IT-05-003
Condition: -------- -------- change control process supporting --- -- -- - -- ---------------- ------ - and -- - - ------ -- ----- --- -- --- - -- --- ---- --- have weaknesses including: procedures in support of the finalized CM policy are not developed, documentation supporting a risk assessment is not maintained, formal change requests are not used, and test plans and test results are not documented.
Recommendation: TSA management should work with - --------- management to ensure the development and enforcement of configuration management procedures for developing test plans, documenting test results, implementing software, management approval of system changes, and retention of risk assessment and testing documentation.
New Issue: X    Repeat Issue:

NFR # TSA-IT-05-004
Condition: Service continuity weaknesses for ---------- , ----- , and ----- , including outdated Business Continuity Contingency Plan (BCCP), lack of disaster recovery procedure details, an off-site storage location in close proximity to the data center, and lack of BCCP testing exist.
Recommendation: TSA management should work with - --------- management to ensure the periodic reassessment and, as appropriate, revision of the ---------- BCCP, development of disaster recovery procedures for ----- and --- -- , completion of the relocation of the off-site storage location, and periodic testing of the BCCP.
New Issue: X    Repeat Issue:

NFR # TSA-IT-05-005
Condition: Documented procedures do not exist for controlling the processes associated with the granting, monitoring, and termination of user accounts within ----- .
Recommendation: TSA management should work with - --------- management to ensure the development of formal entity-wide procedures for granting, monitoring, and terminating ----- user accounts and periodic revalidation of ----- user profiles by local security administrators.
New Issue: X    Repeat Issue:

NFR # TSA-IT 05-006
Condition: -------- -- has not developed documented policies and procedures to restrict access to the ------- operating system, to monitor access to this system, and for periodic reviews to determine if monitoring of the ---- --- operating system for ------ and ----- is functioning as intended.
Recommendation: TSA management should work with - --------- management to ensure the development of policies and procedures for restricting and monitoring access to the ------- operating system for ----- and - - -- and performance of periodic reviews of the monitoring process.
New Issue: X    Repeat Issue:

NFR # TSA-IT 05-007
Condition: Certification and Accreditation (C&A) of the ---- -- --- ------------ ---- ---- ----- --- -- ---- ---- - ----- , and ----- was not complete. Specifically, security testing and evaluation (ST&E) was incomplete and security plans had not been updated.
Recommendation: TSA management should work with - --------- management to ensure the update and completion of the C&A process for --- ---- ------ , and ----- to include the completion of ST&E, and the update of security plans.
New Issue: X    Repeat Issue:

NFR # TSA-IT-05-008
Condition: -------- -- has not implemented formal procedures for the periodic management review and monitoring of activities of ----- database administrators, system administrators, and the -------- SYS accounts.
Recommendation: TSA management should work with - --------- management to ensure the development of procedures for the regular and periodic monitoring of high-level ----- database administrator and system administrator activities, and the -------- SYS account.
New Issue: X    Repeat Issue:
Attachment C\n\n\n\n\n                                                                            New     Repeat\n   NFR #            Condition                   Recommendation\n                                                                            Issue    Issue\n                                           TSA management should\n                                           work with - ---------\n                                           management to ensure the\n            The Enterprise Security        implementation of the\n            Management tool                individual fixes noted in the\n            identified world writeable     NFR for vulnerabilities\n  TSA-IT-\n            directories without a sticky   identified and the institution    X\n   05-009\n            bit set and account            of a formal process for\n            management weaknesses          performing periodic scans\n            over ------ - .                of the -- ----- -- network\n                                           environment, including the\n                                           financial processing\n                                           environment.\n                                           TSA management should\n                                           work with - ---------\n                                           management to ensure the\n                                           implementation of the\n            AppDetective identified\n                                           individual fixes noted in the\n            vulnerabilities on the -----\n                                           NFR for vulnerabilities\n  TSA-IT-   database including weak\n                                           identified and institution of     X\n   05-010   passwords, excessive\n                                           a formal process for\n            access permissions and\n                                           performing periodic scans\n       
     missing patches.\n                                           of the -- ----- -- network\n                                           environment, including the\n                                           financial processing\n                                           environment.\n                                           ------ - -- management\n            Internet Security Systems\n                                           implemented immediate\n  TSA-IT-   Internet Scanner identified\n                                           corrective action by              X\n   05-011   three hosts that were\n                                           removing the --- --- -- --\n            missing patches.\n                                           ------ from the three hosts.\n                                           TSA management should\n            Inaccuracies exist within      ensure that personnel errors\n            TSA personnel records          regarding separated\n   TSA-IT   which address separated        employees cited during the\n                                                                                      X\n   05-012   employee issues and other      prior year audit are\n            erroneous personnel            corrected and\n            records.                       documentation of corrective\n                                           actions is retained on file.\n\n\n\n\nSpecial Report: Letter on Information Technology Matters Related to TSA\xe2\x80\x99s FY 2005\n                               Financial Statements\n                                       C.3\n\x0c                                                                                           Attachment D\n\n\n\n\n          STATUS OF PRIOR YEAR TSA IT NOTICES OF FINDINGS AND\n                          RECOMMENDATIONS\n\n\n                                                                                          Disposition\nNFR No.                                 
Description\n                                                                                     Closed         Repeat\n          Segregation of duties is not properly enforced in the Delphi Application\n 04-01                                                                                 X\n          within FFMS.\n          Weaknesses in Delphi access controls, network security, and system\n 04-02                                                                                 X\n          security controls.\n 04-03    System financial integrity issues identified in the Delphi application.      X\n          Inaccuracies exist within TSA personnel records which addresses both\n 04-04                                                                                             05-012\n          separated employee issue and other erroneous personnel records.\n\n\n\n\n   Special Report: Letter on Information Technology Matters Related to TSA\xe2\x80\x99s FY 2005\n                                  Financial Statements\n                                          D.1\n\x0c                                                                        Attachment E\n\n\n\n\nSpecial Report: Letter on Information Technology Matters Related to TSA\xe2\x80\x99s FY 2005\n                               Financial Statements\n                                       E.1\n\x0c                                                                        Attachment E\n\n\n\n\nSpecial Report: Letter on Information Technology Matters Related to TSA\xe2\x80\x99s FY 2005\n                               Financial Statements\n                                       E.2\n\x0c                                                                        Attachment E\n\n\n\n\nSpecial Report: Letter on Information Technology Matters Related to TSA\xe2\x80\x99s FY 2005\n                               Financial Statements\n                                       E.3\n\x0c                                                    
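The world-writable-directory condition cited in NFR TSA-IT-05-009 (Attachment C above) is a filesystem state that can be checked and corrected directly. The script below is an added example; it is not from the OIG report and is not the Enterprise Security Management tool the finding names. It assumes a POSIX `find` and `chmod` and a writable temporary directory; the directory names in the constructed demo tree are hypothetical.

```shell
#!/bin/sh
# Added example for NFR TSA-IT-05-009 (not code from the OIG report or from the
# Enterprise Security Management tool it cites). Scans for directories that are
# world-writable but lack the sticky bit, the condition the NFR describes, and
# applies the usual remediation: set the sticky bit so that only a file's owner,
# the directory owner, or root can delete or rename entries in the directory.

# Print every directory under the given roots that others can write to
# (-perm -0002) and that has no sticky bit (! -perm -1000). -xdev keeps each
# scan on the root's own filesystem so /proc, network mounts etc. are skipped.
find_ww_nosticky() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Remediate the same set by adding the sticky bit. Review the output of
# find_ww_nosticky first; some applications depend on specific modes.
fix_ww_nosticky() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod +t {} + 2>/dev/null
}

# Self-check on a constructed directory tree (assumption: mktemp -d works and the
# temporary filesystem honours mode bits). Returns 0 when the scan flags exactly
# the unprotected directory and nothing remains flagged after remediation.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bad" "$d/ok" "$d/private"
    chmod 0777 "$d/bad"       # world-writable, no sticky bit: the finding
    chmod 1777 "$d/ok"        # world-writable with sticky bit, like /tmp
    chmod 0755 "$d/private"   # not world-writable: not a finding
    before=$(find_ww_nosticky "$d")
    fix_ww_nosticky "$d"
    after=$(find_ww_nosticky "$d")
    rm -rf "$d"
    [ "$before" = "$d/bad" ] && [ -z "$after" ]
}

demo && echo "scan flagged only the unprotected directory; none left after chmod +t"
```

On a production host run `find_ww_nosticky /` (and any other mounted data filesystems) as root, since unreadable directories are silently skipped otherwise. Directories that are meant to be shared scratch space, such as /tmp, legitimately remain world-writable but must carry the sticky bit; a hit with no sticky bit is the 05-009 condition, and the same scan belongs in the periodic scanning process the NFR recommends.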
                                                                        Attachment E

    Report Distribution

    Department of Homeland Security

    Secretary
    Deputy Secretary
    Chief of Staff
    Deputy Chief of Staff
    General Counsel
    Executive Secretariat
    Under Secretary, Management
    Director, TSA
    Chief Information Officer
    Deputy Chief Information Officer
    Chief Financial Officer
    Chief Information Officer, TSA
    Chief Financial Officer, TSA
    Assistant Secretary, Public Affairs
    Assistant Secretary, Policy
    Assistant Secretary, Legislative and Intergovernmental Affairs
    DHS GAO OIG Audit Liaison
    Chief Information Officer Audit Liaison
    TSA Audit Liaison
    Chief Privacy Officer

    Office of Management and Budget

    Chief, Homeland Security Branch
    DHS Office Budget Examiner

    Congress

    Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG
web site at www.dhs.gov.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind
of criminal or noncriminal misconduct relative to department programs or
operations, call the OIG Hotline at 1-800-323-8603; write to Department of
Homeland Security, Washington, DC 20528, Attn: Office of Inspector
General, Investigations Division – Hotline. The OIG seeks to protect the
identity of each writer and caller.